Reflections on My Interview with Hui Chen on Compliance Program Effectiveness

Hui Chen left her job as in-house compliance counsel for the Justice Department at the end of June, and I had the good fortune to be the first person to interview her post-departure.

The political overtones of Chen’s decision to leave were well known even then. So when I conducted a podcast interview with Chen, I stuck with a subject that all compliance officers can appreciate regardless of political inclinations: how to evaluate the effectiveness of compliance programs.

After all, Chen was the principal author of the Justice Department’s guidance released in February 2017, “Evaluation of Corporate Compliance Programs.” Chen previously worked in compliance for Microsoft and Standard Chartered, among others. She spent 20 months working with prosecutors in the Justice Department’s Fraud Section—helping them to understand how compliance programs really work in the corporate world, and how to focus their questions about compliance programs in useful ways.

That said, Chen rarely spoke about the Evaluation Guidance because Justice Department rules forbade her from doing so. So when she finally could speak freely, it was an education that left me with two guiding insights.

Know How to Use the Guidance

First, using the guidance to build a program and using it to defend your program are two different exercises. In our interview, Chen emphasized that the Evaluation Guidance was intended for Justice Department prosecutors rather than corporate compliance professionals; hence its format as a list of questions (scores of them) that prosecutors might ask.

Her point has more implications than one might first realize. When DOJ prosecutors pick up the Evaluation Guidance and start asking about your compliance program, they’ll ask questions about specific allegations and fact patterns. Likewise, your legal department will use the guidance in the same way: trying to match compliance program practices to specific allegations, so it can defend the company’s actions.

As a compliance officer building a program, you have no specific allegations driving your decisions. You might have a good sense of which compliance risks your company is likely to encounter, or how you may encounter them. Indeed, the open-ended nature of this guidance for compliance officers underlines the importance of a risk assessment, so you can have that sense of things.

But you won’t have any specific facts you can anticipate, any more than someone taking a self-defense course knows where an attacker’s punch will land. An effective compliance program will be a robust program that can answer the numerous lines of questioning that regulators might one day pursue.

Learn from Your Mistakes

Second, take advantage of your compliance failures. Chen was honest when she said compliance failures happen all the time, and usually they’re of no harm to the company—but they happened somehow. So they offer a valuable opportunity to perform root cause analyses and see what went wrong.

The fault might be weak training, flawed segregation of duties, outdated policies, a manager who ignores the importance of compliance, or any number of other reasons. Find it and identify it (an internal audit team, if you have one, will be well suited to do this) before that harmless compliance failure evolves into something more serious.

Putting the Pieces Together

The more I consider Chen’s remarks, and the themes mentioned in the Evaluation Guidance, the more several steps strike me as something compliance officers should consider.

As always, begin with a risk assessment. You cannot build a versatile, robust compliance program if you don’t understand the risks your organization might encounter and how you might encounter them.

Think in terms of reducing those risks, not demonstrating work. If the goal is to build a robust compliance program that can address many different types of misconduct that might emerge, then you need to think about effective policy management, strong tone at the top, and a cohesive culture built on the values of ethical conduct. That’s not the same as documenting the actions your compliance program takes. You want to show progress.

Identify root causes of failures, and address them. Compliance failures will almost always trace back to poor control design (a control didn’t work as intended) or poor control environment (people just didn’t take ethical conduct seriously). A determined compliance officer, often working with others in the Second Line of Defense, can remedy them. And remedying compliance failures that aren’t even material is a strong sign of how seriously a company takes its compliance duties.

Throughout my interview with Chen, she stressed the importance of showing the logic behind a compliance program and progress toward improvement. That’s what the three steps above can bring. Applied to specific allegations, they may or may not save the day as you meet with regulators. Applied to the blank slate of a compliance program, regardless of any misconduct that may or may not exist, they bring you that much closer to an effective compliance program—which is what we all want.